diff options
author | Patrick McHardy <kaber@trash.net> | 2006-08-13 18:06:02 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2006-08-13 18:06:02 -0700 |
commit | 1c7628bd7a458faf7c96ef521f6d3a5ea9b106b8 (patch) | |
tree | 45c4a21ee032a813df08dd4e4dc47b0a14fa571d | |
parent | 97c802a113989800430a981b6f36b14c62163d37 (diff) |
[NETFILTER]: xt_hashlimit: fix limit off-by-one
Hashlimit doesn't account for the first packet, which is inconsistent
with the limit match.
Reported by ryan.castellucci@gmail.com, netfilter bugzilla #500.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv4/netfilter/ipt_hashlimit.c | 11 |
1 files changed, 4 insertions, 7 deletions
diff --git a/net/ipv4/netfilter/ipt_hashlimit.c b/net/ipv4/netfilter/ipt_hashlimit.c index 6b662449e825..3bd2368e1fc9 100644 --- a/net/ipv4/netfilter/ipt_hashlimit.c +++ b/net/ipv4/netfilter/ipt_hashlimit.c @@ -454,15 +454,12 @@ hashlimit_match(const struct sk_buff *skb, dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg * hinfo->cfg.burst); dh->rateinfo.cost = user2credits(hinfo->cfg.avg); - - spin_unlock_bh(&hinfo->lock); - return 1; + } else { + /* update expiration timeout */ + dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire); + rateinfo_recalc(dh, now); } - /* update expiration timeout */ - dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire); - - rateinfo_recalc(dh, now); if (dh->rateinfo.credit >= dh->rateinfo.cost) { /* We're underlimit. */ dh->rateinfo.credit -= dh->rateinfo.cost; |